Top 5 BYOD Pitfalls Your Bank Should Avoid

Banks must make sure their bring-your-own-device mobile policies provide benefits such as productivity and employee satisfaction, not new headaches around technology, security and compliance

Bring-your-own-device (BYOD) offers powerful benefits for banks, from enabling better customer service at a lower cost to improving employee productivity and satisfaction. Just as ATMs transformed retail banking a generation ago, mobile devices make it possible to provide service in more places and reduce reliance on traditional teller windows and service desks. By allowing employees to choose their preferred work devices -- PC, Mac, mobile -- you can better attract the tech-savvy young professionals your organization needs to succeed.

As you move to implement BYOD in your bank, though, it's important to think through your approach carefully. In a Ponemon Institute study of U.S. IT and data security practitioners, 69% of respondents said regulated data is most at risk when it sits on a mobile device. Make sure you avoid the common pitfalls so BYOD can fully deliver on its promise for your bank -- not create a new set of headaches around technology, security, and compliance.

Pitfall 1: Taking a one-size-fits-all approach to BYOD

People often assume that BYOD means allowing employees to bring their own personal devices to work, and perhaps receive a stipend to offset their cost -- but this is not always the right approach. In fact, Citrix recommends considering a different model for BYOD in the banking industry: buying the device for the employee instead of providing a stipend. This fulfills the two essential aspects of BYOD -- increasing mobility and allowing user choice -- but makes it possible to maintain a level of control and management that employees might resent on a personally owned device.

Whether or not you choose to buy BYOD devices for your employees, there will still be some workers who bring their own personal devices into your environment: contractors and temps. While corporate devices can be managed at the device level, application-level management may be more appropriate for personal devices to allay concerns about privacy. You'll also need a way to ensure that enterprise data is never accessed or sent from personal accounts. To meet these needs, make sure the solutions that support your BYOD strategy offer the flexibility to selectively apply mobile device management (MDM), mobile application management (MAM), and secure mobile email as needed.

As any technology executive knows, requirements change quickly. Often, enterprises launch their BYOD initiative with a device management mindset, and plan their technology approach accordingly -- only to discover that they need to provide enterprise-ready apps, data collaboration capabilities and access to legacy apps from mobile. Email management and secure browsing of intranet content are often overlooked as well, but represent equally important parts of a complete strategy for mobility and BYOD. Before long, the mobile environment becomes a hodgepodge of non-integrated technologies with all the management pain that implies. Many enterprises also realize much later that they have not addressed scalability and data throughput needs for mobile users. Before you take that first step, think about what it truly means to mobilize your business, and then form a technology strategy to address the full range of needs through an integrated platform.

Pitfall 3: Not considering the full range of platforms/devices/apps employees will use

Even if most of your employees will be on the same couple of platforms, we've all seen how fast market share and consumer tastes can shift. To future-proof your BYOD initiative, you need to be able to empower people on any type of device -- Windows, iOS, and Android on mobile; Windows and MacOS on laptops.

Think about how you'll deliver the full range of apps people rely on. For laptops, desktop virtualization provides a solution for diverse Windows and Mac platforms. For mobile devices, consider a staged approach: begin by mobilizing core business apps like email, calendaring, and document access so people see immediate value; follow with vertical third-party apps like CRM or point-of-sale systems; and finally create mobile apps -- but make sure you also have a simple, scalable way to make Windows apps available on tablets without having to develop mobile versions one by one.

Pitfall 4: Leaving out a rich data collaboration platform

Employees often need to share sensitive data both inside and outside the organization, from non-public financial data to confidential M&A information. Unless you provide a convenient way for them to do so, they're all too likely to resort to a consumer service like Dropbox or Box -- creating a compliance nightmare. To prevent data leakage and other risks, you need a secure, managed, and fully auditable data collaboration platform -- one that provides a simple, consumer-like experience to ensure full adoption. This functionality should be accessible on PCs and Macs as easily as on mobile devices with full integration to the email clients to support the full spectrum of collaboration scenarios.

Pitfall 5: Having an incomplete BYOD policy (or none at all)

In a highly regulated industry like banking, a complete, well thought-out policy is essential for implementing BYOD without increasing risk. Your policy should encompass considerations such as eligibility, allowed devices, service availability, cost sharing, acceptable use, device support and maintenance, and -- most importantly -- security.

As the role of BYOD and mobility in banking grows, new ways of serving customers and empowering employees will transform our organizations. By avoiding these pitfalls, you can keep your institution at the leading edge of our industry.

Healthcare is a great test "case"/area for many of these emerging technology areas. My understanding from covering insurance is that providers (doctors, mainly) are ironically resistant to change and don't like to have new systems imposed on them, even if there are proven benefits. So any successes in educating providers about benefits, policy, process, etc., should provide some real best practices to other industries. Thanks for your insights.

Great example. When it comes to security and compliance, technology can't meet the demands alone. Companies need training and education of employees to enforce the rules. CISOs are also facing this challenge. Many thought that a good firewall or other security technology was enough. But all employees need to be aware of threats and, in this case, potential HIPAA violations.

In healthcare (just like in banking with SOX), not having a good BYOD policy can result in large HIPAA fines, so a good BYOD policy is very important, but it is really the education of staff about the policy that will make it a success or failure. A good example is that our hospital put a BYOD policy in place to use Tigertext for HIPAA and SOX compliant text messaging, but the doctors still used their insecure regular SMS text messaging. Even though we had a good BYOD policy, it wasn't enough; we had to bring each doctor in to admin for training and explaining the HIPAA issues and how to use the app correctly. Now we have most of the doctors in compliance, which has significantly lowered the HIPAA risks and increased productivity for the doctors and the hospital. Here is an example of a BYOD policy similar to ours: http://www.hipaatext.com/wp-co...

Thanks for the note. There are a variety of ways to secure BYO devices. Sometimes, a firm insists on the ability to lock down the entire device, but this doesn't seem to be the preferred way anymore. Sometimes, a firm can secure the data on the device (in a wrapper, or box). Or, as you mentioned, a firm can secure the connection to the corporate systems that house the data.

BYOD will continue growing as mobile devices continue to play a greater role in our lives. That's why most major IT players are offering solutions to address such BYOD challenges as security and device management.

Does BYOD come with headaches? Of course it does. However, security issues and IT management headaches (how do I support all those devices?) can be addressed by using new HTML5 technologies that enable users to connect to applications and systems without requiring IT staff to install anything on user devices. For example, Ericom AccessNow is an HTML5 RDP client that enables remote users to securely connect from iPads, iPhones and Android devices to any RDP host, including Terminal Server and VDI virtual desktops, and run their applications and desktops in a browser. This enhances security by keeping applications and data separate from personal devices.

Since AccessNow doesn't require any software installation on the end user device - just an HTML5 browser, network connection, URL address and login details - IT staff end up with fewer support hassles. The volunteer or temporary employee that brings in their own device merely opens their HTML5-compatible browser and connects to the URL given them by the IT admin.

I would have assumed any company with a BYOD policy was already buying the devices for employees, rather than giving them a stipend to purchase what they want, but if many are still doing the latter, it seems very insecure. The company buying the device would allow IT to install the necessary security controls before issuing to the employee.

It seems that BYOD and mobile security is no longer about the device. Instead, mobile security is about securing the data on the device. Some FIs no longer care what device you use. Instead, the company encrypts and secures a portion of the device that holds corporate data. In the event of a compromised device, the company can wipe the "company" data on the device, while the rest of the device remains untouched.

Interesting stuff. I do wonder about #3, though. When it comes to financial institutions, sometimes it's not so much "bring your own device" as it is "you can use the device you prefer from the selection of the most popular handsets and OSes." I don't think this is a bad approach -- I think in a highly regulated industry where security is paramount, it's important to ensure that IT understands the environment through which data is being moved.